Four things from the past working week that a UK board should know about, in the order they would matter if you had to brief a chair over coffee on Monday morning. I have left out the noise. Where I have left something in, it is because there is a decision attached to it.

1. A supply-chain worm wearing Red Hat's name

On Monday 1 June, Red Hat disclosed RHSB-2026-006, a compromise of more than thirty packages published under the @redhat-cloud-services npm namespace. A compromised developer account was used to inject a credential harvester that runs automatically on every npm install, before any application code executes, sweeping GitHub Actions secrets and AWS, GCP, Azure, Kubernetes, HashiCorp Vault and npm tokens. Help Net Security classed it as a fresh Mini Shai-Hulud wave; Wiz tracked it as Miasma. The affected packages were pulled well over a hundred thousand times a week.

What makes this worse than a routine typosquat is that it self-propagates. Using stolen publishing tokens and npm's two-factor bypass parameter, the malware republishes backdoored versions of other packages on its own, including against accounts that had 2FA enabled. A trusted vendor name in the package path was no protection at all.

For boards. This is two questions. First, do you have a software bill of materials for the services your customers touch, and can you act on a credential-theft disclosure in days rather than weeks. Second, does your build pipeline execute third-party install scripts with standing access to your cloud and CI secrets. If a single poisoned package can read your deployment tokens, your blast radius is your whole estate, not one repository.

2. Two holes being walked through, one at the edge and one at the core

The week opened with two unauthenticated, actively exploited flaws that bracket the typical UK network. At the perimeter, CVE-2026-3055 in Citrix NetScaler ADC and Gateway is a memory overread in the SAML identity-provider path that yields remote code execution on an internet-facing appliance; Fortinet has now confirmed large-scale exploitation, and it has sat on CISA's exploited-vulnerabilities catalogue since late March. At the core, CVE-2026-41089 is a Windows Netlogon stack overflow, CVSS 9.8, that gives an unauthenticated attacker SYSTEM on a domain controller with no user interaction. The Centre for Cybersecurity Belgium warned that it is exploited in the wild; Microsoft shipped the fix in May's Patch Tuesday.

A domain controller is not one server among many. Compromise one and the attacker can mint credentials for every domain-joined machine you own. Partial patching is worse than useless here: leave one controller unpatched and you have left the door open.

For boards. Ask two specific things. Are all domain controllers patched against Netlogon in a single maintenance window, not a phased rollout. And do you have a current inventory of internet-facing NetScaler instances, with SAML configurations checked, because edge appliances are exactly the assets nobody owns until they are breached.

3. An Android zero-day in the monthly update

On 2 June, Google's June Android security update addressed 124 vulnerabilities, including CVE-2025-48595, a high-severity flaw in the Android framework already under active exploitation and requiring no user interaction. This is the part of the estate boards routinely forget: the phones in pockets, including personal devices enrolled under bring-your-own-device, that hold mail, multi-factor prompts and document access.

For boards. What is the patch service-level agreement for the corporate mobile fleet, and how quickly does it reach managed personal devices. The honest answer for most organisations is that they do not know, because mobile patching is delegated to the user and the handset manufacturer. A flaw that needs no interaction does not wait for the user to get round to it.

4. The Cyber Security and Resilience Bill reaches its final Commons stage

The Cyber Security and Resilience (Network and Information Systems) Bill is down for Report Stage and Third Reading on 10 June, after which it passes to the House of Lords. As the Commons Library briefing sets out, it rewrites the 2018 NIS Regulations, draws managed service providers and large data centres into scope, raises incident-reporting obligations and sharpens regulators' enforcement powers. It is also the route by which the UK reaches broad alignment with the EU's NIS2 without adopting it wholesale.

For boards. If you sell services to an operator of essential services, a relevant digital service provider, the NHS or central government, the scoping question is no longer theoretical, because the Bill is about to clear the Commons largely as drafted. Ask your CISO for a written gap assessment against the current text now. It is cheaper than discovering the gap from a regulator after Royal Assent.

The thread that ties this together

Every item this week is about access you have already granted, and forgotten you granted. A package your engineers trusted because of the name on it. An appliance at the edge and a controller at the core that someone provisioned years ago and no one has owned since. A phone enrolled once and never patched. A regulatory perimeter that is about to expand to include suppliers who have never thought of themselves as in scope. None of this is exotic; all of it is access that outlived the attention paid to it.

So the question to take into next week is a dull one, which is rather the point: who, by name, owns the inventory of every place your organisation has handed out standing access, and when did they last look at it?